Hijacking the Mazda LCD display

[Pieter] is in the process of adding a turbo package to his ride. He needed a status display for the boost but didn’t have a good way to mount an additional display. He came up with the idea of using the LCD screen that’s already in the dashboard, but the specs for it were not available. Wielding his hard-earned hacking skills [Pieter] used a logic analyzer to sniff out the communications to the screen. He built a controller board that overrides the data coming in from the head unit. The board is also able to query the car’s computer for data and display it in any format you want. What he ends up with is a stock look that he can customize for his needs. Nice!

74 thoughts on “Hijacking the Mazda LCD display”

Comment navigation

I really admire this kind of work because IMO it’s the best way to go. It hides under the dashboard and the turbo under the hood. It looks like anyone else’s car, so it doesn’t stick out as something Joe Criminal should steal, but it still has added functionality that’s so smooth it could have (and should have; wtf is up with automakers?) been done that way from the factory.

It’s uncanny how hackaday picks up on obscure projects I have kicking around my head. A couple months back it was the guy who data logged his indoor bike trainer, and now this guy does it to his RX-8. I’ve always wanted to make my own iPod interface for my car, but I didn’t know the protocol at the time. I emailed some guy who apparently knew, but he wanted to charge me.

@ksmith: Do you mean the protocols for whatever system you have in your car or for the iPod? I’m in the process of doing something similar (or was until work got in the way) and found the iPod protocols fairly easily, it’s just an adaptation of RS232. Let me know if you’re interested and I’ll find ‘em for you.

Most of us are like this here, with obscure niche inventions and ideas that this year’s teenagers will eventually neglect to appreciate when they become mainstream, guys :( just like you, you can’t imagine how many times I’ve wished I had extra money for patent protection and then been like DAMN. Most recently I met a flywheel-powered push lawnmower that I wrote about in a text document on my website two years ago.

No source code? Awesome hack, but the protocol information should be shared somewhere. I’ve seen some people work on this Mazda databus before awhile back and I’ve personally done some decoding on the RX-8 navigation controls. Maybe author could use these controls for more OEM interface/look?

Now this is a REAL hack. I am always impressed by people willing to go to these lengths to make something like this work. I have reverse engineered the OTC Genisys line of automotive scan tools, so I am always fond of automotive hacks :)

Out of curiosity, anyone else here own a Genisys, and have you reverse engineered it at all? I have mine authorized for most all of the applications, all I had to buy was the cables and smart inserts, and I got the scan tool itself from eBay for under $400!

I noticed several of your posts about OTC Genisys, I have an Older genisys, Pre 2.0, Although I was able to do a bit copy of a friends CF card to get 2.0. I tried several ways to unlock things, Maybe you can help, if your willing. I know this post is old so im not sure if you will ever get this.

and you call yourself a hacker? ;)
But seriously, I wonder if the protocol is similar for other Mazdas of this vintage.
I had a 2004 mazda6s wagon (and miss it as well) and now own a 2008 CX-7. My teenage daughters complain that I don’t have RDS display in my car.
If I was ambitious I’d add that functionality, as well as indoor/outdoor temp readings to my display. Oh and ipod functionality would be cool too. Hmmmmm

@strider
Calling me a troll is far more immature and troll-ish than me pointing out my view of a hack, which you disagree with.

I’m sorry, the whole world doesn’t agree with you. I hope it didn’t pop your imaginary world bubble.

@Cromag
Dude, if you want to void warranty on a $40,000 car, go ahead. I’d at least try it out first on a used pile or better yet a junker. One wrong connection on those boards can feed power into the CPU and fry a lot more than the display.

Judging by my experiences with car dealerships (and being an ASE Master Auto Tech for almost 10 years myself) I would say that the dealership wouldn’t notice. They avoid getting under the dash at all costs, and with satellite radio add-ons and such, it’s pretty common to have people come in to the dealership with aftermarket electronics added under the dash. Unless they had to service/replace the LCD module itself, they would never know.

You have to realize, todays mechanics are a different breed, most are trained to replace individual modules when they fail, and few understand how those modules actually work, and how they all talk to each other. The only ones that *do* understand are the few-and-far-between rockstar driveability techs, and geeks like me that have diverse and out of control hobbies.

Not to mention the fact that [Pieter] is installing a turbo in his Mazda. I don’t think he is worried about the warranty ;)

this sir has inspired me
my car also has a lcd display and I
have been looking for a good way to add a few guages to my mega squirt setup
never even though about polling the can network
and pumping it out on my stock lcd

True, it is your opinion and in America you are entitled to it, and i respect that. But when you “disagree” with 99% of the posts on this site…In a not-so-helpful way…It’s not hard for a group of hackers to put two and two together.

If it sounds like a troll, acts like a troll, then it must be a TROLL.

Man, that would be some work. I have gigabytes of communication logs, flash images, and random linux crap. They run on Lynx, a linux RTOS. I started playing around with a MAC mentor, which is the same as the original Genisys, and I later got a newer tool on eBay that has the faster processor in it (has shiny buttons instead of dull). They have since released at least 2 newer models, but I think they are all pretty much the same.

My reverse engineering goes as far as manually flashing the tool for newer OS’es, and cracking the software to authorize all of the applications. I am kind of hesitant to say anything about how I cracked the apps since that would definitely be covered by software piracy laws…

It wasn’t that hard. The machine has a linux console that is accessible through the RJ45 port on top, using your average terminal emulation software. I believe the settings are 9600-n-8-1 for the serial port, I’d have to double check, it’s been a while. I would be cool to get some people working on some custom software for these tools, there are a lot of them floating around out there, and they have a ton of potential.

Most car electronics are designed to survive shorts to ground and battery on every pin, and sometimes double or reversed battery on the at least the power/ground pins to handle various situations when the car is jumped improperly or by a semi w/ two batteries or something.

Bootloader? On the CF card? There is no bootloader on the CF card that I have seen. The operating system is contained on that card. Every time you boot, it loads the OS and various drivers, programs the on board FPGA’s, and then loads the scan tool utility.

well tried to upload new updates to an aftermarket CF card on my genisys and it froze. OTC wants me to send it in to repair so any one who has claimed cracking the unit(Jake) andy help would be appreciated.

I am looking for info on how to transfer applications on the genisys, one of my units has quit turning on, and i need to transfer my applications to my other tool, as i dont want to rebuy them. anyone have any info how to do it? OTC says i have to buy then all over again…

I am in need of some info on the genisys as well, i have two scanners, only one that had european and asian. the one with euro and asian died, and OTC won’t help to transfer the applications to the working unit. anyone know how to do it through the serial port or something?

Once the smart card is registered to one tool, it can not be used on another as the tool’s serial number is burned on the smart card. I suppose that you could find where in the device the serial number is stored, and try to remove that IC and change the data within it, but I suspect that would be one of the flash chips (there are several) and you would risk doing much more harm than good.

jake if you have reflashed oses on scan tools did you do it through a MAC computer seeing how it is linux(unix) based OS? currently my scanner wont boot due to bad flash do you have the bootloader by any chance. Any help would be appreciated jake

As far as the flash is concerned, are you talking about the on-board flash chips or the CompactFlash card in the unit? The CompactFlash can be fixed. If your onboard flash is corrupt, then it may be easier to just send it in, I really don’t have the time to figure out how to bootload that part of the device.

Leave me a message on here, I’ll check back in a few days to see if anyone is still having trouble.

I can’t support anyone on this. Looking in to it and any way you look at it, it’s software piracy, piracy of a company’s product that I am very loyal to. There is no way that you can twist this to call it “innocent hacking”, etc. OTC has a lot of money and a lot of lawyers, and seeing that no one but me (in the world, lol) has truly cracked this tool, I am NOT going to make myself a target. Good luck guys.

I REALIZE LOOKING BACK AT ONES COMMENTS CAN SHOW TERMS FOR LITIGATION, IN ALL HONESTY NATO DID YOU SUCCESSFULLY CRACK THE TOOL? YOU DONT HAVE TO REPLY WITH A YES FOR REASON OF SELF INCRIMINATION BUT I AM JUST CURIOUS…FOR ALL OTHERS READING I HAVE THREE TOOLS 1 OF WHICH IS WORKING AND I AM VERY DETERMINED TO CRACK THE TOOL..FEEL FREE TO CHIME IN IF YOU OWN A GENISYS/DETERMINATOR/MENTOR/TECHFORCE BUT PLEASE REALIZE THAT IN ORDER TO SUCCESSFULLY UNLOCK/CRACK/BREAK/UPDATE/ROOT THE DEVICE YOU NEED TO KNOW WHAT YOUR TALKING ABOUT AND HOW THE OS BOOTLOADER FPGA MICROPROCESSOR DRAM SRAM RTOS UNIX IEEE AND SUCH OPERATE..ANYONE WITH ME ON THIS???

Sounds like you’ve been putting some work in to it. If you have gained root access, then you should know the first and last characters of the root password. Post them here. If you are correct, I’ll post my email and we can discuss this somewhere else.

I have been working on my Genisys for a while, It’s nice to finally find someone who know’s something. Several years ago I used a sniffer when updating my Tool, Back when it was v1.9 I believe, Did a CF bitcopy of a friends 2.0. I need to dig through all the paperwork I wrote but I will provide the Pass NATO, If interested I would like to communicate via email.

actually what i did to gain root access is look up the installation manual for lynx os and found a default account user name and password that worked, then used the update routine in the tool to upload a script to reset the root account password.

Back in the day when I first started to look for things I couldn’t find anything, After seeing Jake/Nato’s comments it got me reinvigorated to play again. I can’t believe how much info I can find now. Looking up US patents can be a nice resource for some :)